Re: [cobalt-users] Telnet users see all
- Subject: Re: [cobalt-users] Telnet users see all
- From: Jeff Lasman <jblists@xxxxxxxxxxxxx>
- Date: Tue Feb 13 16:24:52 2001
- Organization: nobaloney.net
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
John Parris wrote:
> > If I telnet into my raq as a site admin I can go all over the
> > drive, see the root, see other sites on the raq, see the user
> > names of other sites, etc.
> >
> > Is this supposed to be this way?
>
> Unfortunately that's the default configuration from Cobalt. I once fixed
> that on a RAQ2 but it has been a while. I'm going to attempt it on my RAQ3
> as well.
If you figure out how to chroot telnet on a RaQ; in fact if you figure
out how to reliably chroot telnet on any linux system at all, please let
us all know (all meaning the entire linux community).

Linux, like unix, works with permissions. Note the following directory
entry first column:

-rwxr-xr--

The first column "dash" means the file is NOT a directory.

The next three characters are the permissions for the owner of the file:
this entry shows the owner of the file can read, write, and execute the
file. The second three characters are the permissions for members of
the group that owns the file. In this case, members of the group can
read and execute the file. The third three characters are for all other
users who can somehow see files on the system, via ftp, telnet, through
a browser, whatever; in this case these users can read the file.

So if your site admin can telnet in, he can see these files. Most files
can be read by these "others" because you want to run most programs
without special privileges.

So you ask, why can't I just write a copy of bash (for example) that
can't cd down past the login directory? Actually you can. But remember,
linux/unix is made up of lots of small files.

The "ls" command is a program file. So is the "cp" command, "chmod",
"chown", "cat", etc. So if you chroot bash, then you have to have copies of
all of the commands your user will need, in HIS path. Lots of extra
files. Lots of extra places to look for trouble.

Linux/unix are NOT designed to be secure operating systems.

Jeff
--
Jeff Lasman <jblists@xxxxxxxxxxxxx>
nobaloney.net
P. O. Box 52672
Riverside, CA 92517
voice: (909) 787-8589 * fax: (909) 782-0205
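
Added example, not part of the original message: a Python sketch of the permission model described above. It decodes an `ls`-style mode string, picks the class (owner, group, other) that applies to a given non-root user, and lists regular files under a directory whose "other" read bit is set. The function names and UIDs/GIDs are constructed for illustration; root and ACLs are not modeled.

```python
import os
import stat

def parse_mode(mode_str):
    """Split an ls-style mode string such as '-rwxr-xr--' into its parts."""
    if len(mode_str) != 10:
        raise ValueError("expected 10 characters, e.g. '-rwxr-xr--'")
    # Fold setuid/setgid/sticky markers back into plain execute bits.
    mode_str = mode_str[0] + mode_str[1:].translate(str.maketrans("stST", "xx--"))
    kind = {"-": "file", "d": "directory", "l": "symlink"}.get(mode_str[0], "other")
    triplets = {}
    for name, start in (("owner", 1), ("group", 4), ("other", 7)):
        # '-' means the bit is off; keep only the letters that are set.
        triplets[name] = {c for c in mode_str[start:start + 3] if c != "-"}
    return kind, triplets

def access_for(mode_str, file_uid, file_gid, uid, gids):
    """Permissions that apply to a non-root user: first matching class wins."""
    _, triplets = parse_mode(mode_str)
    if uid == file_uid:
        return triplets["owner"]
    if file_gid in gids:
        return triplets["group"]
    return triplets["other"]

def world_readable(root):
    """Audit helper: regular files under root whose 'other' read bit is set."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IROTH:
                found.append(os.path.relpath(path, root))
    return sorted(found)

if __name__ == "__main__":
    # Constructed IDs: file owned by uid 500/gid 500; site admin is uid 601, gid 600.
    print(access_for("-rwxr-xr--", 500, 500, 601, {600}))
    print(world_readable("."))
```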